Data Processing Agreement
This Data Processing Agreement (hereinafter referred to as "DPA"), together with Terms and Conditions and Privacy Policy, forms the Agreement between:
- Client is defined as in Terms and Conditions (hereinafter referred to as "Controller" or "Business") and
- Spoks Technologies Inc., a Delaware C-Corporation with registered office 1111 B South Governors Ave, STE 29541, Dover, DE 19904 US, File number: 10178760 (hereinafter referred to as "Spoks", "Processor", "Data Processor" or "Service Provider").
Controller and Processor are collectively hereinafter referred to as the "Parties" and each individually as the "Party".
Definitions
For purposes of this Data Processing Agreement, the following terms shall have the meanings set forth below:
"Applicable Data Protection Laws" means all data protection and privacy laws and regulations that govern or are otherwise applicable to the Processing of Personal Data under this Agreement, based on the jurisdiction and residency of the relevant Data Subjects. This includes, without limitation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – "GDPR");
- The United Kingdom General Data Protection Regulation, as incorporated into UK law pursuant to Section 3 of the European Union (Withdrawal) Act 2018, together with the UK Data Protection Act 2018 ("UK GDPR");
- The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA/CPRA");
- As well as any other applicable federal, state, or international data protection laws, including but not limited to the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, to the extent they apply to the Processing of Personal Data under this Agreement.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to Data Subject that is Processed by the Processor on behalf of the Controller.
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to Personal Data.
"Processing" has the meaning given in Applicable Data Protection Laws. For example, it means any operation or set of operations performed on Personal Data, whether by automated means or not, including but not limited to collection, reception, storage, organization, retrieval, disclosure, transmission, erasure, and destruction of data.
"Standard Contractual Clauses" (SCCs) – for the purposes of this Agreement, shall mean the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses between controllers and processors and for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"). SCCs serve as a legal mechanism ensuring an adequate level of protection for personal data transferred outside the European Economic Area (EEA) and contain binding obligations on the parties regarding the security and lawfulness of such transfers, in accordance with Article 46(2)(c) of the GDPR.
"Subprocessor" means any third party engaged by Processor to Process Personal Data.
Scope and Applicability
This DPA applies to the extent Processor Processes Personal Data on behalf of the Controller in the course of providing the Services as defined in the Terms and Conditions.
The parties agree that:
- Under the GDPR, the Controller is the Data Controller and the Processor is the Data Processor;
- Under the CCPA/CPRA and similar U.S. laws, the Controller is the Business and the Processor is the Service Provider;
- Under other Applicable Data Protection Laws, roles are determined according to the specific definitions in such laws.
Nature and Purpose of Processing
The Processor shall process Personal Data on behalf of the Controller solely for the purpose of enabling the Controller to manage, organize, and execute marketing activities such as newsletters, campaigns, and related communications with the Controller's customers and contacts.
The Processor shall not use the Personal Data for any independent purpose or outside the scope of the Controller's instructions.
The Types of Personal Data that are processed by the Processor may include:
- Contact Information: Names, email addresses, phone numbers, and postal addresses
- Technical Data: IP addresses, device identifiers, browser information
- Marketing Data: Communication preferences, engagement metrics, campaign responses.
The nature of the processing is predominantly automated and involves the handling of electronic Personal Data through the Processor's software platform and related infrastructure. The Processor may also process Personal Data manually where required for support, maintenance, or compliance activities.
The Processing shall be performed for the term of the Agreement and any applicable retention period thereafter.
Processor Obligations
- Processor shall process Personal Data solely on documented instructions from the Controller and exclusively for the purposes set forth in the Agreement and this Data Processing Agreement.
- The Processor shall not retain, use, or disclose Personal Data for any purpose other than providing the services agreed upon.
- The Processor shall not sell Personal Data.
- The Processor shall ensure that all personnel within its organization authorized to process Personal Data are bound by confidentiality obligations, whether by contract or statute and are granted access to Personal Data only to the extent necessary to properly perform their duties.
- Processor shall implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data.
The Processor shall provide reasonable assistance to the Controller to enable the Controller to comply with its legal obligations under applicable data protection laws, including:
- Responding to Data Subject requests (to the extent technically feasible through the Services),
- Supporting compliance with security, breach notification, and impact assessment requirements,
- Providing information reasonably necessary for compliance audits.
- Notify the Controller about a Personal Data Breach according to Section 8.
- At the Controller's choice, delete or return all Personal Data upon termination of the Agreement, unless legally required to retain it.
- Make available all information necessary to demonstrate compliance and allow audits under Section 9.
- The Processor shall promptly notify the Controller if it receives any legally binding requests from law enforcement or regulatory authorities for disclosure of Personal Data, unless prohibited by law.
Controller Obligations
- The Controller represents and warrants that it shall comply with all obligations applicable to it under Applicable Data Protection Law. This includes but is not limited to obtaining all necessary consents and having a lawful basis to collect and provide Personal Data to the Processor.
- The Controller is solely responsible for the legality of the data provided to Spoks.
- The Controller shall not instruct the Processor to perform any Processing that would violate applicable law.
- The Controller shall not use the Spoks Platform to process Personal Data for unlawful, discriminatory, or deceptive purposes, or in a way that infringes upon the rights and freedoms of data subjects.
- The Controller is solely responsible for ensuring that the Personal Data provided to Spoks is accurate, complete, and kept up to date. The Controller must notify the Processor promptly of any changes or corrections to the Personal Data that may affect Processing accuracy.
- The Controller shall provide instructions to the Processor regarding the Processing of Personal Data. The Processor shall be entitled to rely on the instructions provided through the Controller's use of the Spoks Platform, as configured by the Controller via the Processor's platform. If additional or conflicting instructions are issued, they must be provided in writing. The Controller acknowledges that changes to the instructions may impact the scope, pricing, or availability of services.
- The Controller is solely responsible for responding to Data Subject requests under Applicable Data Protection Law and determining the appropriate response to such requests.
The Controller agrees to indemnify, defend, and hold harmless the Processor against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising out of or related to the Controller's failure to comply with its obligations, including but not limited to:
- Controller's breach of its obligations under this DPA or Applicable Data Protection Laws,
- Controller's violation of any Data Subject's rights,
- The accuracy, legality, or source of Personal Data,
- Controller's instructions to the Processor.
The Controller shall promptly cooperate with the Processor in good faith to enable compliance with this DPA and all applicable laws, including but not limited to assisting with regulatory inquiries or data protection authority audits relating to Processing and investigations and responses to Personal Data breaches.
Subprocessors
- Controller authorizes Processor to engage Sub-Processors for the purposes of providing the Services.
- Current Sub-Processors are listed in Annex II. Controller approves these Sub-Processors as of the Effective Date.
- The Processor may engage new Sub-processors by updating Annex II, providing 7 (seven) days prior written notice to the Controller.
- Processor shall enter into an agreement with each Sub-Processor containing equivalent obligations as those in this DPA, to ensure compliance with relevant data protection regulations.
- The data controller has the right to object to the appointment of new subprocessors, within 7 (seven) days.
- In the aforementioned circumstances, the Parties shall engage in good faith efforts to reach a mutually acceptable alternative. Should no consensus be reached and the Processor nevertheless proceeds with the engagement of the contested sub-processor, the Controller shall be entitled to terminate the Agreement by providing thirty (30) days' prior written notice. Such termination shall not constitute a breach of contract.
International Data Transfers
In the event that the Processor receives or otherwise processes Personal Data originating from the European Economic Area (EEA), the United Kingdom (UK) and Switzerland, the Processor shall ensure that such transfers are conducted in full compliance with applicable Data Protection Laws. To this end, the Processor shall implement appropriate safeguards. Such safeguards might include, but are not limited to, execution of Standard Contractual Clauses (SCCs), as set forth in Annex III to this Agreement.
Personal Data Breach
In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of such breach.
The Processor shall provide sufficient information to allow the Controller to fulfill its notification obligations and shall cooperate fully with the Controller in investigating the breach, mitigating its effects, and preventing future occurrences.
Such notification shall contain a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences, and the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
In the event that it is not possible to provide all information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.
Audit Rights
The Controller may audit the Processor's compliance with this DPA once per calendar year, with 30 days' prior notice, during business hours. Audits may be conducted by a third party under confidentiality obligations.
The Processor may alternatively provide a recent, third-party audit report or certification.
Data Retention and Deletion
Processor retains Personal Data only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
Upon expiration or termination of the Agreement, and at the Controller's written request, the Processor shall promptly return all Personal Data to the Controller or securely delete such data unless otherwise required by law to retain it.
The Processor shall provide written confirmation of the deletion upon the Controller's request.
Jurisdiction
The parties hereby submit to the exclusive jurisdiction of the Delaware Court of Chancery, or if such court lacks subject matter jurisdiction, the United States District Court for the District of Delaware, for the resolution of any disputes, claims, or controversies arising out of or relating to this DPA, including but not limited to disputes concerning the processing of Personal Data, or the performance of the parties' obligations hereunder, subject to the paragraph below.
Notwithstanding the foregoing, to the extent the dispute involves Personal Data of Data Subjects located in the European Economic Area, Switzerland, or the United Kingdom, the governing law and jurisdictional provisions set forth in the Standard Contractual Clauses Module Two, as incorporated into the Data Processing Agreement (Appendix III), shall apply. For disputes arising under the SCCs, the parties agree to the jurisdiction of the courts of the Republic of Ireland, as specified in Clause 17 of the SCCs, and to be governed by the law of the Republic of Ireland, as specified in Clause 18 of the SCCs.
The Parties acknowledge that EU data protection authorities retain their investigative and enforcement powers under the GDPR, regardless of the jurisdiction selected herein.
Amendments
This DPA may only be amended by a written agreement signed by authorized representatives of both parties, except:
- The Processor may update Annex I (Security Measures) and Annex II (Sub-processors) as provided herein;
- Updates required for legal compliance with 30 (thirty) days' notice.
Acceptance and Incorporation
This DPA is automatically incorporated into and forms part of the Terms and Conditions between the parties. By accepting the Terms and Conditions, the Controller is deemed to have accepted the terms of this DPA.
List of Annexes
- Annex I: Technical and Organizational Security Measures
- Annex II: Current Sub-processors
- Annex III: Standard Contractual Clauses (where applicable)
Annex I: Technical and Organizational Security Measures
Organizational and technical safeguards to protect data:
- Encryption of data in transit and at rest,
- Access controls and authentication requirements,
- Security monitoring and incident response,
- Regular security assessments,
- Employee training and confidentiality obligations
Annex II: Current Sub-processors
A current list of Spoks' subprocessors that might Process Personal Data:
- Google Inc.
- Functional Software Inc. (Sentry.io)
- Twilio Inc. (Segment.com)
Annex III: Standard Contractual Clauses (where applicable)
In case of Processing Privacy Data of Data Subject from the European Economic Area, in order to ensure an adequate level of protection for such data, the SCC shall be incorporated into this DPA, as follows:
The Module applicable to the transfer of Personal Data originating from the EEA under the DPA is Module 2 – "Controller to Processor".
Where the Commission Implementing Decision permits selection of options in the Clauses of the SCCs, the following selections are made:
- Clause 7 will not apply.
- In Clause 9, Option 2 will apply and the time period shall be 7 (seven) days.
- In Clause 17, Option 7 will apply and the governing law shall be the law of Republic of Ireland.
- In Clause 18, and those shall be the courts of Republic of Ireland.